DNSSEC for recursive server
Techi
techi at tellas.gr
Fri May 21 06:54:01 UTC 2010
Hello,
I am trying to set up (= prepare) our DNS servers for the DNSSEC era.
I have a CentOS 5.x with BIND 9.3.6-4. I have one problem and 2 questions.
The problem is that the specific version seems to lack support for DNSSEC
validation! named-checkconf returns the following error:
/etc/named.conf:212: unknown option 'dnssec-validation'
!!!
Now the questions:
1. I am trying to understand the concepts of DNSSEC and the signing of root zones.
As far as I understand, all I need to add to my BIND configuration are the
following lines:
****************************
dnssec-enable yes;
dnssec-validation yes;
****************************
Is that correct?
If not, then which DLV should I use? That of ISC, IANA, RIPE, or what? And
how?
2. On another server (openSUSE with BIND 9.6) I modified the named.conf files
as above and then performed the query:
dig +multiline +cd +dnssec dlv.isc.org dnskey @localhost
The answer was:
*********************************
; <<>> DiG 9.6.1-P3 <<>> +multiline +cd +dnssec dlv.isc.org dnskey @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16333
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN DNSKEY
**************
So, the specific server is DNSSEC aware and I will not face any issues with the
root zones signing on 01/07/2010. Correct?
Thank you.
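
Added example, not part of the original post: a Python check that reads the header of dig output like the one quoted above and reports what it shows about resolver-side validation. The function names, verdict labels and the second sample are constructed for illustration; the reading of the AD, CD and DO bits follows RFC 4035 and RFC 3225.

```python
import re

# Header lines from the dig output quoted in the post (answer section omitted there).
POSTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16333
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""
# Constructed sample: the same query sent without +cd to a validating resolver.
VALIDATED = POSTED.replace("qr rd ra cd;", "qr rd ra ad;")


def parse_dig_header(text):
    """Return status, header flags and EDNS flags from dig's text output."""
    status = re.search(r"status:\s*(\w+)", text)
    hdr = re.search(r"^;; flags:([^;]*);", text, re.M)
    edns = re.search(r"^; EDNS:.*?flags:([^;]*);", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(hdr.group(1).split()) if hdr else set(),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
    }


def validation_verdict(text):
    """Classify what a dig response proves about resolver-side validation."""
    h = parse_dig_header(text)
    if h["status"] == "SERVFAIL":
        return "servfail"          # validating resolvers answer SERVFAIL for bogus data
    if "do" not in h["edns_flags"]:
        return "no-dnssec-ok"      # DO bit not echoed: no DNSSEC records in play
    if "ad" in h["flags"]:
        return "validated"         # AD: resolver authenticated every RRset returned
    if "cd" in h["flags"]:
        return "inconclusive-cd"   # +cd asked the resolver to skip validation
    return "not-validated"         # unsigned zone, no trust anchor, or validation off


if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("constructed", VALIDATED)):
        print(name, "->", validation_verdict(sample))
```

To use it on live output, pass the text of `dig +dnssec <name> <type> @localhost` (without `+cd`) to `validation_verdict`.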